Context
Both open bug reports on this repo (#1/#3) are the same root cause: bundled SKILL.md
files fail YAML frontmatter parsing on an unquoted colon. That's a packaging/validation gap,
not an enforcement-hook gap -- but it's the same family of problem as what prompted this
issue: something that looks fine in the source repo but breaks for the actual consumer.
This is a converged recommendation from two independent cross-model reviews (Fable 5 and
Codex/GPT-5.5 xhigh) asked in parallel: whether Codex-CLI-family sibling wizards
(codex-sdlc-wizard, codex-rdlc-wizard, codex-gdlc-wizard, opencode-sdlc-wizard) need
independent Fable-led bloat/bug audits, or should inherit lessons more cheaply. Both converged
on the same answer for this repo: not an independent audit -- a host-native smoke-test
requirement.
Why not a full audit
codex-sdlc-wizard (this repo's sibling) already independently hit and fixed the exact
"enforcement hook that looks like it blocks but doesn't" bug class that prompted this sweep
(codex-sdlc-wizard#38, #39, closed May 2026, found via real usage on Snowcone and
m180-jumpseat) -- discovered before claude-sdlc-wizard hit the same shape in its own
hooks (claude-sdlc-wizard#436, #437). That's real evidence a full audit isn't the cheapest
way to catch this class of bug here; a targeted test is.
Proposal
Per Codex's own review (it has direct knowledge of its own hook mechanism that a bloat audit
wouldn't specifically target): a host-native, black-box smoke test per enforcement hook --
not a unit test that invokes the hook script directly, which only proves the script's own
logic, not that Codex actually loaded/trusted/enforced it. Each test should:
- Install/load the hook exactly as a real user gets it.
- Confirm Codex actually considers it trusted (or deliberately bypass trust for CI, and test
that path separately).
- Drive the forbidden action through the real CLI path -- not a direct script call.
- Assert both the user-visible blocking message AND the actual blocked/continued behavior.
- Add a "hook present but untrusted/disabled" case as its own test, so a release can't
silently ship enforcement that never got trusted.
- Include representative bypass strings (quoted flags with spaces, absolute binary paths --
both bypass patterns already proven to work against codex-sdlc-wizard's hooks per #38/#39).
If this repo has real shipped enforcement hooks today, this is worth doing now. If enforcement
here is still thin/aspirational, this is worth baking into whatever implementation plan exists
before treating it as done.
Submitted as part of a cross-repo self-enforcement review pass
(see claude-sdlc-wizard#236 -> PR #440, and codex-sdlc-wizard#58).
Context
Both open bug reports on this repo (
#1/#3) are the same root cause: bundledSKILL.mdfiles fail YAML frontmatter parsing on an unquoted colon. That's a packaging/validation gap,
not an enforcement-hook gap -- but it's the same family of problem as what prompted this
issue: something that looks fine in the source repo but breaks for the actual consumer.
This is a converged recommendation from two independent cross-model reviews (Fable 5 and
Codex/GPT-5.5 xhigh) asked in parallel: whether Codex-CLI-family sibling wizards
(
codex-sdlc-wizard,codex-rdlc-wizard,codex-gdlc-wizard,opencode-sdlc-wizard) needindependent Fable-led bloat/bug audits, or should inherit lessons more cheaply. Both converged
on the same answer for this repo: not an independent audit -- a host-native smoke-test
requirement.
Why not a full audit
codex-sdlc-wizard(this repo's sibling) already independently hit and fixed the exact"enforcement hook that looks like it blocks but doesn't" bug class that prompted this sweep
(
codex-sdlc-wizard#38,#39, closed May 2026, found via real usage on Snowcone andm180-jumpseat) -- discovered beforeclaude-sdlc-wizardhit the same shape in its ownhooks (
claude-sdlc-wizard#436,#437). That's real evidence a full audit isn't the cheapestway to catch this class of bug here; a targeted test is.
Proposal
Per Codex's own review (it has direct knowledge of its own hook mechanism that a bloat audit
wouldn't specifically target): a host-native, black-box smoke test per enforcement hook --
not a unit test that invokes the hook script directly, which only proves the script's own
logic, not that Codex actually loaded/trusted/enforced it. Each test should:
that path separately).
silently ship enforcement that never got trusted.
both bypass patterns already proven to work against
codex-sdlc-wizard's hooks per #38/#39).If this repo has real shipped enforcement hooks today, this is worth doing now. If enforcement
here is still thin/aspirational, this is worth baking into whatever implementation plan exists
before treating it as done.
Submitted as part of a cross-repo self-enforcement review pass
(see
claude-sdlc-wizard#236-> PR #440, andcodex-sdlc-wizard#58).